Question

In: Computer Science


Visit the web site of one of the following government agencies:

• Federal Trade Commission

• FFIEC

• Federal Drug Administration

Search the site for information about the agency’s standards related to information security. Study the information you find and draw some conclusions about it. How are the regulations presented? How easily can businesses access and follow these regulations? Summarize your findings in a brief report (6 to 8 pages).

Solutions

Expert Solution

Federal Trade Commission:

Information Security:

Many companies keep sensitive personal information about customers or employees in their files or on their network. Having a sound security plan in place to collect only what you need, keep it safe, and dispose of it securely can help you meet your legal obligations to protect that sensitive data. The Federal Trade Commission has free resources for businesses of any size.

First, I will describe the guidance that the Federal Trade Commission has published:

APP DEVELOPERS: START WITH SECURITY:

More than a thousand new apps are hitting the market each day. In this fast-moving era of entrepreneurship and creativity, is security keeping up? Apps and devices often rely on consumer data — including contact information, photos, and location to name a few — and can be vulnerable to digital snoops, data breaches, and real-world thieves. The Federal Trade Commission (FTC), the nation’s consumer protection agency, offers these tips to help developers approach app and software security.

Aim for reasonable data security

There is no checklist for securing all apps. Different apps have different security needs. For example, an alarm clock app that collects little or no data will likely raise fewer security considerations than a location-based social network. Apps that are more complex may rely on remote servers for storing and manipulating users’ data, meaning that developers must be familiar with securing software, securing transmissions of data, and securing servers. Adding to the challenge: Security threats and best practices evolve quickly.

The FTC expects app developers to adopt and maintain reasonable data security practices and doesn’t prescribe a one-size-fits-all approach. This brochure offers a starting point to help you provide a secure experience for your users. If applied thoughtfully and consistently, these tips can help protect you, your users, and the reputation of your app.

Before you start, evaluate the ecosystem

The mobile and Internet of Things ecosystems present developers with both challenges and opportunities. Before getting into the nuts and bolts of data security, consider the landscape:

  • App developers can code quickly with the support of powerful software development kits (SDKs). However, a rush to release may result in dangerous security oversights.
  • Popular app stores can introduce apps to millions of users, and can lead to overnight popularity. But the bigger the user base and the more sensitive the information, the greater the need for strong security. Is your app ready?
  • Ready-made software libraries and cross-platform toolkits can provide a head start in the development process. However, as a developer, you are your app’s last line of defense, determining what goes in it and how it performs.
  • Mobile and Internet-connected devices offer an array of exciting technologies. GPS receivers, cameras, and sensors let you create a unique experience for users. But threats — like loss, theft, and users who rely on unsecured Wi-Fi networks — raise the security stakes. Balance these features and risks to protect users’ personal information and your own business reputation.
  • Getting your product working and accepted by an app store are two key milestones. But there’s a critical third step: Anticipating and preventing potential security glitches.

Tips for app security

Make someone responsible for security.

Your team should include at least one person responsible for considering security at every stage of your app’s development. If you’re running a solo operation, that person is you. It’s easy to assume someone else is handling security — whether that someone is a mobile operating system provider, a device manufacturer, or another member of the development team. It’s true that everyone has a role to play, but as the developer, you’re the final line of defense.

Take stock of the data you collect and retain.

Don’t collect or keep data you don’t need. For example, if your photo-editing app doesn’t require access to a user’s contact info, don’t ask for it. Simply put, data you don’t collect is data you don’t need to worry about protecting. Avoid keeping data longer than you need to. For example, if you offer a location-based mobile game, get rid of the location data when it’s no longer relevant.

Understand differences between platforms.

Research the platforms you work with and make sure you enable proper configurations. Each mobile operating system uses different application programming interfaces (APIs), provides you with different security-related features, and handles permissions its own way. Don’t expect that one platform works exactly like another. Do your research and adapt your code accordingly.

Don’t rely on a platform alone to protect your users.

Platforms often provide helpful security features. But it’s your job to understand those features (and their limitations), implement them properly, and take other measures necessary to protect your users. In addition, while platform-based permissions might be helpful in conveying security information to your customers, they’re no substitute for your own effective communication. Talk to your users in your own words.

Generate credentials securely.

If you create credentials for your users (like usernames and passwords), create them securely. For example, a short number string might be an appropriate token for authenticating a user on a game score board, but the same credential wouldn’t be appropriate for a social networking app.

Don’t store passwords in plaintext.

Don’t store passwords in plaintext on your server. Instead, consider using an iterated cryptographic hash function to hash users’ passwords and then verify against these hash values. (Your users can simply reset their passwords if they forget.) That way, if your server suffers a data breach, passwords aren’t left completely exposed.

Use transit encryption for usernames, passwords, and other important data.

Anytime your app transmits usernames, passwords, API keys, or other types of important data, use transit encryption. Mobile and Internet-connected devices commonly rely on open Wi-Fi access points at coffee shops, airports, and the like — and it’s easy for troublemakers to snoop and intercept data.

To protect users, developers often deploy TLS in the form of HTTPS. Consider using HTTPS or another industry-standard method. There’s no need to reinvent the wheel. If you use HTTPS, use a digital certificate and ensure your app checks it properly. A no-frills digital certificate from a reputable vendor is inexpensive and helps your customers ensure they’re communicating with your servers, and not someone else’s. But standards change, so keep an eye on current technologies, and make sure you’re using the latest and greatest security features.

Use due diligence on libraries and other third-party code.

Before using someone else’s code to build or augment your app, do your research. Does this library or SDK have known security vulnerabilities? Has it been tested in real-world settings? Have other developers reported problems? Third-party libraries can save time, but make sure you stay accountable for your app.

Consider protecting data you store on a user’s device.

If your app handles personal information, consider protecting or obscuring the data — for example, by using encryption. Some platforms have special storage schemes for sensitive data like passwords and keys. Use them if they’re available. This helps protect your users in the event of viruses, malware, or a lost device.

Protect your servers, too.

If you maintain a server that communicates with your app, take appropriate security measures to protect it. If you rely on a commercial cloud provider, understand the divisions of responsibility for securing and updating software on the server. While some commercial services will monitor and update your servers’ security, others leave you in control.

Server security is its own complex topic, so do some research. Take steps to protect yourself from common vulnerabilities, including injection attacks, cross-site scripting, and other threats.
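As an added illustration (not part of the FTC brochure or of this answer), here is the injection flaw the paragraph warns about beside its fix, in Python against an in-memory SQLite table built for the demo, plus the output-escaping step that blocks reflected cross-site scripting. The table, its columns and the rows are invented for the example.

```python
import html
import sqlite3


def build_db():
    # Constructed in-memory store standing in for the app's backend database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_email_vulnerable(conn, username):
    # Untrusted input is pasted into the query text, so a crafted username
    # such as  x' OR '1'='1  changes the shape of the query itself.
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_email_safe(conn, username):
    # Parameter binding keeps the input as data: the driver never re-parses it
    # as SQL, so the same crafted username simply matches no row.
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


def render_greeting(display_name):
    # Escape before interpolating user-controlled text into HTML; this is the
    # basic defence against reflected cross-site scripting.
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"
```

Run both lookups with the same crafted username: the vulnerable one returns every e-mail address in the table, the parameterised one returns nothing.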

What does the Federal Trade Commission do?

The FTC is a bipartisan federal agency with a unique dual mission to protect consumers and promote competition. For one hundred years, our collegial and consensus-driven agency has championed the interests of American consumers. As we begin our second century, the FTC is dedicated to advancing consumer interests while encouraging innovation and competition in our dynamic economy.

The FTC develops policy and research tools through hearings, workshops, and conferences. We collaborate with law enforcement partners across the country and around the world to advance our crucial consumer protection and competition missions. And beyond our borders, we cooperate with international agencies and organizations to protect consumers in the global marketplace.

1. PROTECTING CONSUMERS

The FTC protects consumers by stopping unfair, deceptive or fraudulent practices in the marketplace. We conduct investigations, sue companies and people that violate the law, develop rules to ensure a vibrant marketplace, and educate consumers and businesses about their rights and responsibilities. We collect complaints about hundreds of issues from data security and deceptive advertising to identity theft and Do Not Call violations, and make them available to law enforcement agencies worldwide for follow-up. Our experienced and motivated staff uses 21st century tools to anticipate – and respond to – changes in the marketplace.

2. PROMOTING COMPETITION

Competition in America is about price, selection, and service. It benefits consumers by keeping prices low and the quality and choice of goods and services high. By enforcing antitrust laws, the FTC helps ensure that our markets are open and free. The FTC will challenge anticompetitive mergers and business practices that could harm consumers by resulting in higher prices, lower quality, fewer choices, or reduced rates of innovation. We monitor business practices, review potential mergers, and challenge them when appropriate to ensure that the market works according to consumer preferences, not illegal practices.

Commissioners:

The Commission is headed by five Commissioners, nominated by the President and confirmed by the Senate, each serving a seven-year term. No more than three Commissioners can be of the same political party. The President chooses one Commissioner to act as Chairman.

  1. Joseph J. Simons - Chairman
  2. Noah Joshua Phillips - Commissioner
  3. Rohit Chopra - Commissioner
  4. Rebecca Kelly Slaughter - Commissioner
  5. Christine S. Wilson - Commissioner

BUREAUS under Federal Trade Commission:

  • The Bureau of Competition seeks to prevent anticompetitive mergers and other anticompetitive business practices in the marketplace. By enforcing the antitrust laws, the Bureau promotes competition and protects consumers' freedom to choose goods and services in an open marketplace at a price and quality that fit their needs.
  • The Bureau of Consumer Protection's mandate is to protect consumers against unfair, deceptive or fraudulent practices. The Bureau enforces a variety of consumer protection laws enacted by Congress, as well as trade regulation rules issued by the Commission. Its actions include individual company and industry-wide investigations, administrative and federal court litigation, rulemaking proceedings, and consumer and business education. In addition, the Bureau contributes to the Commission's on-going efforts to inform Congress and other government entities of the impact that proposed actions could have on consumers.
  • The Bureau of Economics helps the FTC evaluate the economic impact of its actions. To do so, the Bureau provides economic analysis and support to antitrust and consumer protection investigations and rulemakings. It also analyzes the impact of government regulation on competition and consumers and provides Congress, the Executive Branch and the public with economic analysis of market processes as they relate to antitrust, consumer protection, and regulation.

OFFICES under Federal Trade Commission:

  • Financial Management Office
  • Office of Administrative Law Judges
  • Office of Congressional Relations
  • Office of Equal Employment Opportunity and Workplace Inclusion
  • Office of International Affairs
  • Office of the Executive Director
  • Office of the General Counsel
  • Office of Policy Planning
  • Office of Public Affairs
  • Office of the Secretary
  • Office of the Chief Privacy Officer
  • Regional Offices

Performance of the Federal Trade Commission over the last three years:

FTC Fiscal Year 2019 Performance:

  • Identify, stop, and take action against illegal, deceptive, and unfair practices through consumer protection and competition law enforcement.
  • Provide consumers and businesses with knowledge and tools that provide guidance and prevent harm.
  • Enhance benefits to consumers through research, reports, and advocacy.
  • Protect consumers from domestic and international deceptive and anticompetitive practices.
  • Collaborate with domestic and international partners to enhance their capability and capacity to protect consumers and promote competition.

FTC Fiscal Year 2018 Performance:

  • Identify, stop, and take action against illegal, deceptive, and unfair practices through consumer protection and competition law enforcement.
  • Provide consumers and businesses with knowledge and tools that provide guidance and prevent harm.
  • Enhance benefits to consumers through research, reports, and advocacy.
  • Protect consumers from domestic and international deceptive and anticompetitive practices.
  • Collaborate with domestic and international partners to enhance their capability and capacity to protect consumers and promote competition.

FTC Fiscal Year 2017 Performance:

  • Identify, stop, and take action against illegal practices through law enforcement.
  • Prevent consumer injury through education of consumers and businesses.
  • Enhance consumer benefit through research, reports, and advocacy.
  • Protect American consumers from domestic and international deceptive and anticompetitive practices.

Note that the objectives listed for FY 2018 and FY 2019 are identical, and the FY 2017 list differs only in wording, so the agency's stated priorities stayed the same across all three years.

Office of Inspector General:

In compliance with the Inspector General Act Amendments of 1988 (5 U.S.C. app.), the Office of Inspector General (OIG) was established in 1989 as an independent and objective organization within the FTC. This Act was an amendment to the original Inspector General Act of 1978 (IG Act).

Under the IG Act, as amended, the OIG is responsible for conducting audits and investigations relating to the programs and operations of the FTC. Audits are conducted for the purpose of finding and preventing fraud, waste and abuse and to promote economy, efficiency and effectiveness within the agency. OIG investigations seek out facts related to allegations of wrongdoing on the part of FTC employees and individuals or entities having contracts with or obtaining benefits from the agency.

OIG Audits and Evaluations:

The OIG conducts audits, evaluations and reviews of agency programs and activities. In general, these activities involve an examination and analysis of FTC bureaus or offices, programs or operations. The auditor may analyze and verify agency records and obtain information by interviews, questionnaires, and physical inspections. Audits are selected based on a number of factors, including (i) statutory requirements; (ii) materiality of the activity; (iii) agency staff comments regarding perceived vulnerabilities or inefficiencies; and (iv) issues brought to our attention from individuals outside the agency, including Congress, the media and the public.

The OIG performs its audits and evaluations in accordance with applicable standards issued by the Comptroller General of the United States and CIGIE.

Final audit reports are generally provided to the Commission, management officials responsible for implementing the recommendations, and to the agency's executive director. Audit and evaluation reports are public documents and are available on the OIG's website.

The OIG also prepares an annual report of the top management challenges facing the agency. This report is included in the agency’s annual Agency Financial Report to Congress.

OIG Investigations:

The OIG investigates allegations of fraud, waste, abuse and/or misconduct involving FTC employees, contractors or entities conducting business with the FTC. OIG investigations address criminal, civil, and administrative violations of laws and regulations.

An employee who is the subject of an OIG investigation is afforded his or her rights regarding representation and self-incrimination. In addition, all OIG investigations are conducted in accordance with the “Quality Standards for Investigations,” published by the Council of the Inspectors General on Integrity and Efficiency.

The subject of an OIG investigation can be any agency employee, an FTC contractor, consultant or a person or entity involved in alleged wrongdoing affecting FTC programs and operations.

FTC employees have a duty to cooperate with the OIG and must respond to questions posed by an OIG investigator unless they have been advised that they are the subject of a criminal investigation. Intentional falsification or concealment of a material fact in connection with an OIG investigation could constitute a violation of law and result in disciplinary action or criminal prosecution.

At the conclusion of an OIG investigation, the OIG investigator prepares a report that sets forth the allegations and an objective description of the facts developed during the investigation. The investigative report does not include recommendations. The OIG refers investigative reports that identify criminal activity or fraud to the Department of Justice for possible prosecution or recovery of monetary damages and penalties. If administrative misconduct is found, the OIG forwards the report to the appropriate management officials for consideration of disciplinary action. OIG investigative reports are not public documents and are not available on the OIG website.

How businesses can access and follow the FTC's regulations:

In addition to Protecting Personal Information, the FTC has resources to help you think through how those principles apply to your business. There’s an online tutorial to help train your employees; publications to address particular data security challenges; and news releases, blog posts, and guidance to help you identify – and possibly prevent – pitfalls.

There’s another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, here are ten lessons to learn that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

1. START WITH SECURITY:

From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades every part of many companies. Business executives often ask how to manage confidential information. Experts agree on the key first step: Start with security. Factor it into the decision-making in every department of your business – personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. Savvy companies think through the implication of their data decisions. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business. Lessons from FTC cases illustrate the benefits of building security in from the start by going lean and mean in your data collection, retention, and use policies.

  • Don’t collect personal information you don’t need:

Here’s a foundational principle to inform your initial decision-making: No one can steal what you don’t have. When does your company ask people for sensitive information? Perhaps when they’re registering online or setting up a new account. When was the last time you looked at that process to make sure you really need everything you ask for? That’s the lesson to learn from a number of FTC cases. For example, the FTC’s complaint against RockYou charged that the company collected lots of information during the site registration process, including the user’s email address and email password. By collecting email passwords – not something the business needed – and then storing them in clear text, the FTC said the company created an unnecessary risk to people’s email accounts. The business could have avoided that risk simply by not collecting sensitive information in the first place.

  • Hold on to information only as long as you have a legitimate business need:

Sometimes it’s necessary to collect personal data as part of a transaction. But once the deal is done, it may be unwise to keep it. In the FTC’s BJ’s Wholesale Club case, the company collected customers’ credit and debit card information to process transactions in its retail stores. But according to the complaint, it continued to store that data for up to 30 days – long after the sale was complete. Not only did that violate bank rules, but by holding on to the information without a legitimate business need, the FTC said BJ’s Wholesale Club created an unreasonable risk. By exploiting other weaknesses in the company’s security practices, hackers stole the account data and used it to make counterfeit credit and debit cards. The business could have limited its risk by securely disposing of the financial information once it no longer had a legitimate need for it.

  • Don’t use personal information when it’s not necessary:

You wouldn’t juggle with a Ming vase. Nor should businesses use personal information in contexts that create unnecessary risks. In the Accretive case, the FTC alleged that the company used real people’s personal information in employee training sessions, and then failed to remove the information from employees’ computers after the sessions were over. Similarly, in foru International, the FTC charged that the company gave access to sensitive consumer data to service providers who were developing applications for the company. In both cases, the risk could have been avoided by using fictitious information for training or development purposes.

2. CONTROL ACCESS TO DATA SENSIBLY:

Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. You’ll want to keep it from the prying eyes of outsiders, of course, but what about your own employees? Not everyone on your staff needs unrestricted access to your network and the information stored on it. Put controls in place to make sure employees have access only on a “need to know” basis. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. When thinking about how to control access to sensitive information in your possession, consider these lessons from FTC cases.

  • Restrict access to sensitive data:

If employees don’t have to use personal information as part of their job, there’s no need for them to have access to it. For example, in Goal Financial, the FTC alleged that the company failed to restrict employee access to personal information stored in paper files and on its network. As a result, a group of employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization. The company could have prevented that misstep by implementing proper controls and ensuring that only authorized employees with a business need had access to people’s personal information.

  • Limit administrative access:

Administrative access, which allows a user to make system-wide changes to your system, should be limited to the employees tasked to do that job. In its action against Twitter, for example, the FTC alleged that the company granted almost all of its employees administrative control over Twitter’s system, including the ability to reset user account passwords, view users’ nonpublic tweets, and send tweets on users’ behalf. According to the complaint, by providing administrative access to just about everybody in-house, Twitter increased the risk that a compromise of any of its employees’ credentials could result in a serious breach. How could the company have reduced that risk? By ensuring that employees’ access to the system’s administrative controls was tailored to their job needs.

3. REQUIRE SECURE PASSWORDS AND AUTHENTICATION:

If you have personal information stored on your network, strong authentication procedures – including sensible password “hygiene” – can help ensure that only authorized individuals can access the data. When developing your company’s policies, here are tips to take from FTC cases.

  • Insist on complex and unique passwords:

“Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. In the Twitter case, for example, the company let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts. According to the FTC, those lax practices left Twitter’s system vulnerable to hackers who used password-guessing tools, or tried passwords stolen from other services in the hope that Twitter employees used the same password to access the company’s system. Twitter could have limited those risks by implementing a more secure password system – for example, by requiring employees to choose complex passwords and training them not to use the same or similar passwords for both business and personal accounts.

  • Store passwords securely:

Don’t make it easy for interlopers to access passwords. In Guidance Software, the FTC alleged that the company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network. Similarly, in Reed Elsevier, the FTC charged that the business allowed customers to store user credentials in a vulnerable format in cookies on their computers. In Twitter, too, the FTC said the company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts. In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections – two-factor authentication, for example – that can help protect against password compromises.

  • Guard against brute force attacks:

Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password. In the Lookout Services, Twitter, and Reed Elsevier cases, the FTC alleged that the businesses didn’t suspend or disable user credentials after a certain number of unsuccessful login attempts. By not adequately restricting the number of tries, the companies placed their networks at risk. Implementing a policy to suspend or disable accounts after repeated login attempts would have helped to eliminate that risk.
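The three lessons above (salted iterated hashing from the app-developer tips, complex and unique passwords, and lockout against brute force) fit in one small account store. The following is an added example written for this page, not FTC code or code from any of the cases; the deny-list, the policy thresholds and the PBKDF2 work factor are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed deny-list standing in for a real dictionary / breached-password list (assumption).
WEAK_PASSWORDS = {"121212", "qwerty", "password", "letmein", "password123"}
MIN_LENGTH = 12           # policy threshold chosen for the demo
MAX_FAILURES = 5          # lockout threshold chosen for the demo
PBKDF2_ROUNDS = 600_000   # iterated-hash work factor; tune to your hardware


def password_acceptable(password, username):
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return False
    if lowered in WEAK_PASSWORDS:            # dictionary word / known-bad value
        return False
    if username.lower() in lowered:          # password derived from the account name
        return False
    return True


def hash_password(password, rounds=PBKDF2_ROUNDS, salt=None):
    # Per-user random salt plus iterated PBKDF2-HMAC-SHA256: the plaintext is
    # never stored, and a breach yields digests that must be ground one by one.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(candidate, record["digest"])   # constant-time compare


class AccountStore:
    def __init__(self, rounds=PBKDF2_ROUNDS):
        self._rounds = rounds
        self._accounts = {}   # username -> {"pw": record, "failures": int, "locked": bool}

    def register(self, username, password):
        if not password_acceptable(password, username):
            raise ValueError("password rejected by policy")
        self._accounts[username] = {
            "pw": hash_password(password, self._rounds), "failures": 0, "locked": False
        }

    def login(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            # Do the same work for unknown users so response time does not reveal
            # which usernames exist.
            hash_password(password, self._rounds, salt=b"\x00" * 16)
            return "invalid"
        if acct["locked"]:
            return "locked"
        if verify_password(password, acct["pw"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True   # cleared out of band, never by another guess
            return "locked"
        return "invalid"

    def is_locked(self, username):
        return self._accounts[username]["locked"]
```

Once an account is locked the correct password no longer opens it, which is exactly the property the Lookout Services, Twitter and Reed Elsevier complaints said was missing.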

  • Protect against authentication bypass:

Locking the front door doesn’t offer much protection if the back door is left open. In Lookout Services, the FTC charged that the company failed to adequately test its web application for widely-known security flaws, including one called “predictable resource location.” As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities.
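An added example (not from the FTC or the original answer) showing the authentication-bypass pattern described above beside a hardened handler, together with the need-to-know and limited-administrative-access lessons from section 2. The report ids, users, roles, session scheme and report contents are all constructed for the demo.

```python
import secrets

# Constructed data: reports keyed by a predictable sequential id, each owned by one user.
REPORTS = {
    1001: {"owner": "alice", "body": "alice's payroll summary"},
    1002: {"owner": "bob", "body": "bob's payroll summary"},
}
# Only carol's job requires administrative rights (least privilege).
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}
SESSIONS = {}   # session token -> username


def create_session(username):
    token = secrets.token_urlsafe(32)   # unguessable, unlike the report ids
    SESSIONS[token] = username
    return token


def _report_id(path):
    try:
        return int(path.rsplit("/", 1)[-1])
    except ValueError:
        return None


def serve_report_vulnerable(path):
    # The login page was the only gate; the report URL itself is never checked.
    # Anyone who saw /reports/1001 can request /reports/1002 directly.
    return REPORTS[_report_id(path)]["body"]


def serve_report(path, session_token):
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, "authentication required"
    report = REPORTS.get(_report_id(path))
    is_admin = "admin" in ROLES.get(user, set())
    # Same answer for "does not exist" and "not yours", so ids cannot be enumerated.
    if report is None or (report["owner"] != user and not is_admin):
        return 404, "not found"
    return 200, report["body"]


def reset_user_password(session_token, target_user):
    # Administrative action: authenticated is not enough, the caller must hold the role.
    user = SESSIONS.get(session_token)
    if user is None:
        return 401
    if "admin" not in ROLES.get(user, set()):
        return 403
    return 200
```

The hardened handler performs two distinct checks on every request: who is calling (the session), and whether that caller may see this particular object (ownership or an explicit admin role).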

4. STORE SENSITIVE PERSONAL INFORMATION SECURELY AND PROTECT IT DURING TRANSMISSION:

For many companies, storing sensitive data is a business necessity. And even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information your business collects, how you collect it, and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or an iterative cryptographic hash. But regardless of the method, it’s only as good as the personnel who implement it. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. With that in mind, here are a few lessons from FTC cases to consider when securing sensitive information during storage and transmission.

  • Keep sensitive information secure throughout its lifecycle:

Data doesn’t stay in one place. That’s why it’s important to consider security at all stages, if transmitting information is a necessity for your business. In Superior Mortgage Corporation, for example, the FTC alleged that the company used SSL encryption to secure the transmission of sensitive personal information between the customer’s web browser and the business’s website server. But once the information reached the server, the company’s service provider decrypted it and emailed it in clear, readable text to the company’s headquarters and branch offices. That risk could have been prevented by ensuring the data was secure throughout its lifecycle, and not just during the initial transmission.

  • Use industry-tested and accepted methods:

When considering what technical standards to follow, keep in mind that experts already may have developed effective standards that can apply to your business. Savvy companies don’t start from scratch when it isn’t necessary. Instead, they take advantage of that collected wisdom. The ValueClick case illustrates that principle. According to the FTC, the company stored sensitive customer information collected through its e-commerce sites in a database that used a non-standard, proprietary form of encryption. Unlike widely-accepted encryption algorithms that are extensively tested, the complaint charged that ValueClick’s method used a simple alphabetic substitution system subject to significant vulnerabilities. The company could have avoided those weaknesses by using tried-and-true industry-tested and accepted methods for securing data.
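To make the ValueClick lesson concrete, here is an added example (not code from the case or from this page): a toy alphabetic substitution scheme of the kind the complaint described, and the chosen-plaintext attack that recovers the whole table from a single record the attacker controls. The key, the records and the card number are constructed for the demo.

```python
import random
import string

ALPHABET = string.ascii_lowercase + string.digits


def make_substitution_key(seed):
    # One fixed shuffled alphabet is the entire "key" of a substitution scheme.
    symbols = list(ALPHABET)
    random.Random(seed).shuffle(symbols)
    return "".join(symbols)


def substitution_encrypt(plaintext, key):
    # Deterministic and symbol-by-symbol: equal plaintext symbols always give
    # equal ciphertext symbols, so the ciphertext keeps the plaintext's repeat pattern.
    return plaintext.translate(str.maketrans(ALPHABET, key))


def recover_mapping(known_plaintext, known_ciphertext):
    # Chosen-plaintext attack: the attacker registers a record whose content they
    # chose, then reads that record's ciphertext out of the leaked database.
    mapping = {}
    for p, c in zip(known_plaintext, known_ciphertext):
        if p in ALPHABET:
            mapping[c] = p
    return mapping


def decrypt_with_mapping(ciphertext, mapping):
    return "".join(mapping.get(c, "?") for c in ciphertext)


def repeat_pattern(text):
    # Index of the first occurrence of each symbol; identical for a plaintext and
    # its substitution ciphertext, which is why even the key-less attacker learns
    # which stored values share digits.
    first_seen = {}
    return tuple(first_seen.setdefault(ch, i) for i, ch in enumerate(text))
```

A standard authenticated cipher with a fresh nonce per record has neither weakness: two encryptions of the same card number look unrelated, and an attacker's own record tells them nothing about anyone else's.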

  • Ensure proper configuration:

Encryption – even strong methods – won’t protect your users if you don’t configure it properly. That’s one message businesses can take from the FTC’s actions against Fandango and Credit Karma. In those cases, the FTC alleged that the companies used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures. That made the apps vulnerable to man-in-the-middle attacks, which could allow hackers to decrypt sensitive information the apps transmitted. Those risks could have been prevented if the companies’ implementations of SSL had been properly configured.

5. SEGMENT YOUR NETWORK AND MONITOR WHO’S TRYING TO GET IN AND OUT:

When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity. Here are some lessons from FTC cases to consider when designing your network.

  • Segment your network:

Not every computer in your system needs to be able to communicate with every other one. You can help protect particularly sensitive data by housing it in a separate secure place on your network. That’s a lesson from the DSW case. The FTC alleged that the company didn’t sufficiently limit computers from one in-store network from connecting to computers on other in-store and corporate networks. As a result, hackers could use one in-store network to connect to, and access personal information on, other in-store and corporate networks. The company could have reduced that risk by sufficiently segmenting its network.

  • Monitor activity on your network:

“Who’s that knocking on my door?” That’s what an effective intrusion detection tool asks when it detects unauthorized activity on your network. In the Dave & Buster’s case, the FTC alleged that the company didn’t use an intrusion detection system and didn’t monitor system logs for suspicious activity. The FTC says something similar happened in CardSystems Solutions. The business didn’t use sufficient measures to detect unauthorized access to its network. Hackers exploited weaknesses, installing programs on the company’s network that collected stored sensitive data and sent it outside the network every four days. In each of these cases, the businesses could have reduced the risk of a data compromise or its breadth by using tools to monitor activity on their networks.

6. SECURE REMOTE ACCESS TO YOUR NETWORK:

Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients, or service providers remote access to your network, have you taken steps to secure those access points? FTC cases suggest some factors to consider when developing your remote access policies.

  • Ensure endpoint security:

Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. That’s the message of FTC cases in which companies failed to ensure that computers with remote access to their networks had appropriate endpoint security. For example, in Premier Capital Lending, the company allegedly activated a remote login account for a business client to obtain consumer reports, without first assessing the business’s security. When hackers accessed the client’s system, they stole its remote login credentials and used them to grab consumers’ personal information. According to the complaint in Settlement One, the business allowed clients that didn’t have basic security measures, like firewalls and updated antivirus software, to access consumer reports through its online portal. And in Lifelock, the FTC charged that the company failed to install antivirus programs on the computers that employees used to remotely access its network. These businesses could have reduced those risks by securing computers that had remote access to their networks.

  • Put sensible access limits in place:

Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s needed to get the job done. In the Dave & Buster’s case, for example, the FTC charged that the company failed to adequately restrict third-party access to its network. By exploiting security weaknesses in the third-party company’s system, an intruder allegedly connected to the network numerous times and intercepted personal information. What could the company have done to reduce that risk? It could have placed limits on third-party access to its network – for example, by restricting connections to specified IP addresses or granting temporary, limited access.

7. APPLY SOUND SECURITY PRACTICES WHEN DEVELOPING NEW PRODUCTS:

So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to the task of handling that data securely? Before going to market, consider the lessons from FTC cases involving product development, design, testing, and roll-out.

  • Train your engineers in secure coding:

Have you explained to your developers the need to keep security at the forefront? In cases like MTS, HTC America, and TRENDnet, the FTC alleged that the companies failed to train their employees in secure coding practices. The upshot: questionable design decisions, including the introduction of vulnerabilities into the software. For example, according to the complaint in HTC America, the company failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers’ text messages, location data, and other sensitive information at risk. The company could have reduced the risk of vulnerabilities like that by adequately training its engineers in secure coding practices.

  • Follow platform guidelines for security:

When it comes to security, there may not be a need to reinvent the wheel. Sometimes the wisest course is to listen to the experts. In actions against HTC America, Fandango, and Credit Karma, the FTC alleged that the companies failed to follow explicit platform guidelines about secure development practices. For example, Fandango and Credit Karma turned off a critical process known as SSL certificate validation in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. The companies could have prevented this vulnerability by following the iOS and Android guidelines for developers, which explicitly warn against turning off SSL certificate validation.

  • Verify that privacy and security features work:

If your software offers a privacy or security feature, verify that the feature works as advertised. In TRENDnet, for example, the FTC charged that the company failed to test that an option to make a consumer’s camera feed private would, in fact, restrict access to that feed. As a result, hundreds of “private” camera feeds were publicly available. Similarly, in Snapchat, the company advertised that messages would “disappear forever,” but the FTC says it failed to ensure the accuracy of that claim. Among other things, the app saved video files to a location outside of the app’s sandbox, making it easy to recover the video files with common file browsing tools. The lesson for other companies: When offering privacy and security features, ensure that your product lives up to your advertising claims.

  • Test for common vulnerabilities:

There is no way to anticipate every threat, but some vulnerabilities are commonly known and reasonably foreseeable. In more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities. For example, in the Guess? case, the FTC alleged that the business failed to assess whether its web application was vulnerable to Structured Query Language (SQL) injection attacks. As a result, hackers were able to use SQL attacks to gain access to databases with consumers’ credit card information. That’s a risk that could have been avoided by testing for commonly-known vulnerabilities, like those identified by the Open Web Application Security Project (OWASP).

8. MAKE SURE YOUR SERVICE PROVIDERS IMPLEMENT REASONABLE SECURITY MEASURES:

When it comes to security, keep a watchful eye on your service providers – for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements. FTC cases offer advice on what to consider when hiring and overseeing service providers.

  • Put it in writing:

Insist that appropriate security standards are part of your contracts. In GMR Transcription, for example, the FTC alleged that the company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, the files – many containing highly confidential health-related information – were widely exposed on the internet. For starters, the business could have included contract provisions that required service providers to adopt reasonable security precautions – for example, encryption.

  • Verify compliance:

Security can’t be a “take our word for it” thing. Including security expectations in contracts with service providers is an important first step, but it’s also important to build oversight into the process. The Upromise case illustrates that point. There, the company hired a service provider to develop a browser toolbar. Upromise claimed that the toolbar, which collected consumers’ browsing information to provide personalized offers, would use a filter to “remove any personally identifiable information” before transmission. But, according to the FTC, Upromise failed to verify that the service provider had implemented the information collection program in a manner consistent with Upromise’s privacy and security policies and the terms in the contract designed to protect consumer information. As a result, the toolbar collected sensitive personal information – including financial account numbers and security codes from secure web pages – and transmitted it in clear text. How could the company have reduced that risk? By asking questions and following up with the service provider during the development process.

9. PUT PROCEDURES IN PLACE TO KEEP YOUR SECURITY CURRENT AND ADDRESS VULNERABILITIES THAT MAY ARISE:

Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process that requires you to keep your guard up. If you use third-party software on your networks, or you include third-party software libraries in your applications, apply updates as they’re issued. If you develop your own software, how will people let you know if they spot a vulnerability, and how will you make things right? FTC cases offer points to consider in thinking through vulnerability management.

  • Update and patch third-party software:

Outdated software undermines security. The solution is to update it regularly and implement third-party patches. In the TJX Companies case, for example, the FTC alleged that the company didn’t update its anti-virus software, increasing the risk that hackers could exploit known vulnerabilities or overcome the business’s defenses. Depending on the complexity of your network or software, you may need to prioritize patches by severity; nonetheless, having a reasonable process in place to update and patch third-party software is an important step to reducing the risk of a compromise.

  • Heed credible security warnings and move quickly to fix them:

When vulnerabilities come to your attention, listen carefully and then get a move on. In the HTC America case, the FTC charged that the company didn’t have a process for receiving and addressing reports about security vulnerabilities. HTC’s alleged delay in responding to warnings meant that the vulnerabilities found their way onto even more devices across multiple operating system versions. Sometimes, companies receive security alerts, but they get lost in the shuffle. In Fandango, for example, the company relied on its general customer service system to respond to warnings about security risks. According to the complaint, when a researcher contacted the business about a vulnerability, the system incorrectly categorized the report as a password reset request, sent an automated response, and marked the message as “resolved” without flagging it for further review. As a result, Fandango didn’t learn about the vulnerability until FTC staff contacted the company. The lesson for other businesses? Have an effective process in place to receive and address security vulnerability reports. Consider a clearly publicized and effective channel (for example, a dedicated email address like security@yourcompany.com) for receiving reports and flagging them for your security staff.

10. SECURE PAPER, PHYSICAL MEDIA, AND DEVICES:

Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives, and disks. FTC cases offer some things to consider when evaluating physical security at your business.

  • Securely store sensitive files:

If it’s necessary to retain important paperwork, take steps to keep it secure. In the Gregory Navone case, the FTC alleged that the defendant maintained sensitive consumer information, collected by his former businesses, in boxes in his garage. In Lifelock, the complaint charged that the company left faxed documents that included consumers’ personal information in an open and easily accessible area. In each case, the business could have reduced the risk to their customers by implementing policies to store documents securely.

  • Protect devices that process personal information:

Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. In the 2007 Dollar Tree investigation, FTC staff said that the business’s PIN entry devices were vulnerable to tampering and theft. As a result, unauthorized persons could capture consumers’ payment card data, including the magnetic stripe data and PIN, through an attack known as “PED skimming.” Given the novelty of this type of attack at the time, and a number of other factors, staff closed the investigation. However, attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise.

  • Keep safety standards in place when data is en route:

Savvy businesses understand the importance of securing sensitive information when it’s outside the office. In Accretive Health, for example, the FTC alleged that an employee left a laptop containing more than 600 files, with 20 million pieces of information related to 23,000 patients, in the locked passenger compartment of a car, which was then stolen. The CBR Systems case concerned alleged unencrypted backup tapes, a laptop, and an external hard drive – all of which contained sensitive information – that were lifted from an employee’s car. In each case, the business could have reduced the risk to consumers’ personal information by implementing reasonable security policies when data is en route. For example, when sending files, drives, disks, etc., use a mailing method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible.

  • Dispose of sensitive data securely:

Paperwork or equipment you no longer need may look like trash, but it’s treasure to identity thieves if it includes personal information about consumers or employees. For example, according to the FTC complaints in Rite Aid and CVS Caremark, the companies tossed sensitive personal information – like prescriptions – in dumpsters. In Goal Financial, the FTC alleged that an employee sold surplus hard drives that contained the sensitive personal information of approximately 34,000 customers in clear text. The companies could have prevented the risk to consumers’ personal information by shredding, burning, or pulverizing documents to make them unreadable and by using available technology to wipe devices that aren’t in use.

A summary on Federal Trade Commission:

Enforcement authority of the Federal Trade Commission, by statute (the column headed FEDERAL TRADE COMMISSION in the original tables):

FEDERAL TRADE COMMISSION ACT (15 U.S.C. §41 et seq.)

  • Cease and Desist: administrative cease and desist authority [§5(b) FTCA]
  • Injunctive (and Other Equitable) Relief: judicially ordered injunctive relief [§13(b) FTCA; also §5(l) FTCA (for violations of cease and desist orders)]
  • Redress: judicially ordered redress [§13(b) FTCA]
  • Rulemaking: [§6(g) FTCA]
  • Civil Penalties: judicially ordered civil penalties for violating cease and desist orders [§5(l) FTCA; Commission Rule 1.98(c)]
  • Criminal Penalties: referral to U.S. Department of Justice [§16(b) FTCA]

CLAYTON ACT (15 U.S.C. §12 et seq.)

  • Cease and Desist: administrative cease and desist authority [§11(b) Clayton Act]
  • Injunctive (and Other Equitable) Relief: judicially ordered injunctive relief [§13(b) FTCA; also §7A(g)(2) Clayton Act (for HSR reporting violations) and §11(l) Clayton Act (for violations of cease and desist orders)]
  • Damages: (no entry in the table)
  • Civil Penalties: judicially ordered civil penalties for violating cease and desist orders [§11(l) Clayton Act and Commission Rule 1.98(b); also §7A(g)(1) Clayton Act (for HSR reporting violations) and Commission Rule 1.98(a)]

APPENDIX B

SYNOPSIS OF CONSUMER PROTECTION ENFORCEMENT AUTHORITY UNDER THE FEDERAL TRADE COMMISSION ACT

FEDERAL TRADE COMMISSION ACT (15 U.S.C. §41 et seq.)

  • Cease and Desist: administrative cease and desist authority [§5(b) FTCA]
  • Prosecution: (no entry in the table)
  • Injunctive (and Other Equitable) Relief: judicially ordered injunctive relief [§13(b) FTCA; also §13(a) FTCA (for violations of §12(a) FTCA) and §5(l) FTCA (for violations of cease and desist orders)]
  • Rulemaking: [§18 FTCA]
  • Redress: judicially ordered redress [§13(b) FTCA; also §19(a)(1) FTCA (for rule violations) and §19(a)(2) FTCA (for "fraudulent or dishonest" conduct)]
  • Civil Penalties: judicially ordered civil penalties for violating cease and desist orders [§5(l) FTCA and Commission Rule 1.98(c); also §5(m)(1)(A) FTCA (for violations of trade regulation rules) and Commission Rule 1.98(d); also §5(m)(1)(B) FTCA (for violations of adjudicatory cease and desist orders by non-parties) and Commission Rule 1.98(e)]
  • Criminal Penalties: referral to U.S. Department of Justice [§16(b) FTCA]

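The network lessons above (DSW's unsegmented store networks, the undetected periodic exfiltration at CardSystems Solutions, and the suggestion to restrict third-party connections to specified IP addresses) can all be expressed as checks over flow and remote-access logs. The block below is an added example for this report, not code from the FTC guidance or from any of the companies named: it defines an assumed network plan (cardholder zone, two store segments, a vendor IP allowlist), parses constructed log lines in a simple key=value format, and raises an alert for large egress from the cardholder zone, for traffic crossing store segments, and for a remote login from an address not on the allowlist. All addresses, names and thresholds are assumptions.

```python
"""Segmentation and egress monitoring over firewall and VPN logs.

Added example, not from the FTC guidance or from the companies in the cases.
The network plan, the allowlist and SAMPLE_LOG are constructed for this example.
"""
from ipaddress import IPv4Address, IPv4Network

# Assumed network plan (hypothetical addresses).
CARDHOLDER_ZONE = IPv4Network("10.20.0.0/16")          # where card data lives
STORE_NETS = {"store-01": IPv4Network("10.30.1.0/24"),
              "store-02": IPv4Network("10.30.2.0/24")}
INTERNAL_NETS = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
                 IPv4Network("192.168.0.0/16")]
# Third-party remote access is limited to named users from fixed addresses.
VENDOR_ALLOWLIST = {"vendor-support": {IPv4Address("198.51.100.23")}}
EGRESS_BYTES_THRESHOLD = 10 * 1024 * 1024               # 10 MiB in one flow

# Constructed log lines: "<timestamp> <source> key=value ...".
SAMPLE_LOG = """\
2024-03-02T02:13:55Z fw src=10.20.5.17 dst=10.20.9.2 dport=1433 bytes=4096 action=allow
2024-03-02T02:14:07Z fw src=10.20.5.17 dst=203.0.113.9 dport=443 bytes=52428800 action=allow
2024-03-02T02:20:31Z fw src=10.30.1.44 dst=10.30.2.10 dport=445 bytes=2048 action=allow
2024-03-02T02:21:02Z fw src=10.30.1.44 dst=10.30.1.1 dport=53 bytes=512 action=allow
2024-03-02T03:00:01Z vpn user=vendor-support src=198.51.100.23 result=success
2024-03-02T03:02:44Z vpn user=vendor-support src=192.0.2.77 result=success
"""


def parse_line(line: str):
    """Split a line into (timestamp, log source, {key: value})."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(part.split("=", 1) for part in rest.split())
    return ts, kind, fields


def is_external(addr: IPv4Address) -> bool:
    """Explicit internal ranges rather than ipaddress.is_private, which also
    treats the documentation ranges used in these samples as private."""
    return not any(addr in net for net in INTERNAL_NETS)


def store_of(addr: IPv4Address):
    """Name of the store segment containing addr, or None."""
    for name, net in STORE_NETS.items():
        if addr in net:
            return name
    return None


def detect(lines) -> list[str]:
    """Run the three rules over the log and return one alert string per finding."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, kind, f = parse_line(line)
        if kind == "fw":
            src, dst = IPv4Address(f["src"]), IPv4Address(f["dst"])
            nbytes = int(f.get("bytes", 0))
            # Rule 1: bulk data leaving the cardholder zone for the internet.
            if src in CARDHOLDER_ZONE and is_external(dst) and nbytes >= EGRESS_BYTES_THRESHOLD:
                alerts.append(f"{ts} EXFIL {src} -> {dst}: {nbytes} bytes left the cardholder zone")
            # Rule 2: one store's network talking to another store's network.
            s_store, d_store = store_of(src), store_of(dst)
            if s_store and d_store and s_store != d_store:
                alerts.append(f"{ts} LATERAL {src} ({s_store}) -> {dst} ({d_store}) crossed store segments")
        elif kind == "vpn" and f.get("result") == "success":
            # Rule 3: third-party login from an address outside its allowlist.
            user, src = f["user"], IPv4Address(f["src"])
            if src not in VENDOR_ALLOWLIST.get(user, set()):
                alerts.append(f"{ts} REMOTE {user} logged in from {src}, not on the allowlist")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Three of the six sample lines should fire, one per rule. The same structure scales to a real log feed: keep the network plan as data, add rules as small functions, and alert on the first match rather than waiting for a pattern to repeat every four days.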
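The ValueClick lesson above ("Use industry-tested and accepted methods") is that a proprietary alphabetic substitution is not encryption in any useful sense. The block below is an added example for this report, not code from the FTC guidance or from the company: it implements that kind of substitution over digits and upper-case letters, then recovers the mapping from a single record the attacker already knows in clear (their own) and decrypts every other card number in the store. The key, the records and the card numbers are constructed and not valid cards. The contrast the text draws is with a vetted algorithm such as AES in an authenticated mode from a maintained library, which this example deliberately does not reimplement.

```python
"""A home-grown substitution 'cipher' and the known-plaintext attack against it.

Added example, not from the FTC guidance or from the company in the case.
The key seed, the records and the card numbers are constructed for this example.
"""
import random
import string

ALPHABET = string.digits + string.ascii_uppercase   # symbols the scheme "encrypts"


def make_key(seed: int) -> dict[str, str]:
    """A fixed permutation of the alphabet: the whole 'secret' of the scheme."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def substitute(text: str, key: dict[str, str]) -> str:
    """Monoalphabetic substitution: a symbol always maps to the same symbol,
    so the structure of the plaintext survives in the ciphertext."""
    return "".join(key.get(ch, ch) for ch in text)


def recover_mapping(known_plain: str, known_cipher: str) -> dict[str, str]:
    """Known-plaintext attack: one record the attacker knows in clear yields
    the inverse mapping for every symbol it contains; no key material needed."""
    inverse: dict[str, str] = {}
    for p, c in zip(known_plain, known_cipher):
        if p in ALPHABET and inverse.setdefault(c, p) != p:
            raise ValueError("pair is not a consistent substitution")
    return inverse


def decrypt_with(inverse: dict[str, str], cipher: str) -> str:
    """Apply the recovered mapping; symbols never seen in the known pair show as '?'."""
    return "".join(inverse.get(ch, "?" if ch in ALPHABET else ch) for ch in cipher)


# Constructed records in NAME|CARD form. The first is the attacker's own account,
# so its plaintext is known to them; its card number happens to use all ten digits.
RECORDS = [
    "MALLORY|4539802716543321",
    "ALICE|4111111111111111",
    "BOB|5500000000000004",
]


def attack(seed: int = 7) -> list[tuple[str, str]]:
    """Return (partially recovered name, fully recovered card) for every record
    other than the attacker's own, using only that one record as leverage."""
    key = make_key(seed)
    stored = [substitute(r, key) for r in RECORDS]          # what the database holds
    inverse = recover_mapping(RECORDS[0], stored[0])         # attacker knows record 0 only
    results = []
    for cipher in stored[1:]:
        name, card = decrypt_with(inverse, cipher).split("|")
        results.append((name, card))
    return results


if __name__ == "__main__":
    for name, card in attack():
        print(f"{name}: {card}")
```

Letters that never occur in the attacker's own name stay unknown, which is why the names come back partly masked, but every digit does occur in one sixteen-digit number, so all card numbers fall at once. A standard cipher with a random per-record nonce gives an attacker nothing of the kind from a known record.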